mime: avoid quadratic complexity in WordDecoder.DecodeHeader

When encountering an undecodable encoded-word, skip over the entire word rather than just the initial "=?". Fixes #79217 Fixes CVE-2026-42504 Change-Id: I28605faa235459d2ba71bd0f3ae3dce96a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/774481 Reviewed-by: Nicholas Husin <nsh@golang.org> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Nicholas Husin <husin@google.com>
2026-06-27 19:30:52 +00:00 · 2026-05-05 15:20:34 -07:00 · 2026-05-05 15:20:34 -07:00 · f230dd8a1d
commit f230dd8a1d
parent eb845eca72
2 changed files with 6 additions and 2 deletions
--- a/src/mime/encodedword.go
+++ b/src/mime/encodedword.go
@ -275,8 +275,8 @@ func (d *WordDecoder) DecodeHeader(header string) (string, error) {
 		content, err := decode(encoding, text)
 		if err != nil {
 			betweenWords = false
-			buf.WriteString(header[:start+2])
-			header = header[start+2:]
+			buf.WriteString(header[:end])
+			header = header[end:]
 			continue
 		}

--- a/src/mime/encodedword_test.go
+++ b/src/mime/encodedword_test.go
@ -140,6 +140,10 @@ func TestDecodeHeader(t *testing.T) {
 		{"=?ISO-8859-1?Q?a?=  =?ISO-8859-1?Q?b?=", "ab"},
 		{"=?ISO-8859-1?Q?a?= \r\n\t =?ISO-8859-1?Q?b?=", "ab"},
 		{"=?ISO-8859-1?Q?a_b?=", "a b"},
+		// Undecodable words
+		{"=?UTF-8?b?garbage?= =?UTF-8?b?QW5kcsOp?= =?UTF-8?b?garbage?=", "=?UTF-8?b?garbage?= André =?UTF-8?b?garbage?="},
+		{"=?UTF-8?b?QW5kcsOp", "=?UTF-8?b?QW5kcsOp"},
+		{"=?UTF-8?x?y?=?UTF-8?x?y=?", "=?UTF-8?x?y?=?UTF-8?x?y=?"},
 	}

 	for _, test := range tests {